Archive

I was struck with a sense of disappointment as I read Bob Wardspan’s (Smoothspan) blog today, “NASA Fiddles While Rome Is Burning.” So, as Bob was rubbed the wrong way by Alex Howard’s post (below), so too was I by Bob’s perspective. All’s fair in love and space, I suppose.

In what amounts to a scathing indictment of new areas of innovation and research, he laments the passing of the glory days of NASA’s race to space, bemoans the lack of focus on planet-hopping, and chastises the organization for what he suggests is their dabbling in spaces they don’t belong:

Now along comes today’s NASA, trying to get a little PR glory from IT technology others are working on. Yeah, we get to hear Vinton Cerf talk about the prospects for building an Internet in space. Nobody will be there to try to connect their iGadget to it, because NASA can barely get there anymore, but we’re going to talk it up. We get Lewis Shepherd telling us, “Government has the ability to recognize long time lines, and then make long term investment decisions on funding of basic science.” Yeah, we can see that based on NASA’s bright future, Lewis.

Bob’s upset about NASA (and our nation’s lost focus on space exploration). So am I. However, he’s barking up the wrong constellation. Sure, the diversity of different technologies mentioned in Alex Howard’s blog on the NASA IT Summit is wide and far, but NASA has always been about innovating in areas well beyond the engineering of solid rocket boosters…

Let’s look at Cloud Computing — one of those things that you wouldn’t necessarily equate with NASA’s focus. Now you may disagree with their choices, but the fact that they’re making them is what is important to me. They are, in many cases, driving discussion, innovation and development. It’s not everyone’s cup of tea, but then again, neither is a Saturn V.

NASA didn’t choose to cut space exploration and instead divert all available resources and monies toward improving the efficiency and access to computing resources and reducing their cost to researchers. This was set in motion years ago and was compounded by the global economic meltdown.

The very reason the CIOs (Chief Information Officers), the people responsible for IT-related mission support, are working diligently on new computing platforms like Nebula is in many ways a direct response to the very cause of this space travel deficit: budget cuts. They, like everyone else, are trying to do more with less, quicker, better and cheaper.

The timing is right, the technology is here and it’s an appropriate response. What would you have NASA IT do, Bob? Go on strike until a Saturn V blasts off? The privatization of space exploration will breed all new sets of public-private partnership integration and information collaboration challenges. These new platforms will enable that new step forward when it comes.

The fact that the IT divisions of NASA (whose job it is to deliver services just like this) are innovating simply shines a light on the fact that for their needs, the IT industry is simply too slow. NASA must deal with enormous amounts of data, transitive use, hugely collaborative environments across multiple organizations, agencies, research organizations and countries.

Regardless of how you express your disappointment with NASA’s charter and budget, it’s unfortunate that Bob chose to suggest that this is about “…trying to get a little PR glory from IT technology others are working on” since in many cases NASA has led the charge and made advancements and innovated where others are just starting. Have you met Linda Cureton or Chris Kemp from NASA? They’re not exactly glory hunters. They are conscientious, smart, dedicated and driven public servants, far from the picture you paint.

In my view, NASA IT (which is conflated as simply “NASA”) is doing what they should — making excellent use of taxpayer dollars and their budget to deliver services which ultimately support new efforts as well as the very classically-themed remaining missions they are chartered to deliver:

To improve life here,

To extend life to there,

To find life beyond.

I think if you look at the efforts NASA IT is working on, they certainly map to those objectives.

To Bob’s last point:

What’s with these guys? Where’s my flying car, dammit!

I find it odd (and insulting) that some seek to blame those whose job is mission support — and doing a great job of it — as if they’re the cause of the downfall of space exploration. Like the rest of us, they’re doing the best they can…fly a mile in their shoes.

Better yet, take a deeper look at what they’re doing and how it maps to supporting the very things you wish were NASA’s longer term focus, because at the end of the day, when the global economy recovers, we’ll certainly be looking to go where no man and his computing platform has gone before.

Italian officials charge Google Global Privacy Counsel Peter Fleischer* with criminal charges of defamation and failure to exercise control over personal data two years after Google posted a video depicting fellow students harassing a student with Down syndrome.

Unlike Italian Internet service providers, who are not responsible for posted content, content providers like Google can be held liable for delivered materials.

According to the International Association of Privacy Professionals, the charges are thought to be the first criminal sanction ever pursued against a privacy professional for his company's actions.

You can see the original story from the International Association of Privacy Professionals (IAPP) here.

The implications of this are quite profound, as you can imagine. CEOs and CFOs can be held accountable for crimes committed under their watch, so it's not too far of a stretch to see how privacy officers like Fleischer will have their feet held to the fire when subject to international law that takes a different perspective on the responsibilities associated with privacy than we might.

How many indictments have we had in the U.S. for the release of information in corporate breaches? The U.K.?

I'm not making a judgment call on this particular case because I certainly don't have all of the details, but it sets a very interesting precedent.

Imagine if you were a Chief Privacy Officer or perhaps a Chief Information Officer subject to this sort of scrutiny outside of the due care and stewardship requirements of the job in general. If something bad happens, generally the worst thing that might occur is you lose your job.

Imagine if you were personally liable for the posting of content from millions of users globally and could be sentenced to share a shower and a cell with an angry Italian man who can't get a decent cappuccino. I can't imagine what that would be like.

This may be the first time a privacy professional has been charged on behalf of the company he/she is employed by, but I will bet this won't be the last time it happens, either.

Besides the impact this can have on employees of providers of service, Google suggests it calls into focus larger issues of Net Neutrality:

Google issued a statement late Feb. 2 stressing the company's sympathy for the victim and his family, but insisted, "We feel that bringing this case to court is totally wrong. It's akin to prosecuting mail service employees for hate speech letters sent in the post.

What's more, seeking to hold neutral platforms liable for content posted on them is a direct attack on a free, open Internet. We will continue to vigorously defend our employees in this prosecution."

An interesting argument for sure, and one I can see being debated vigorously. It's clear Google operates globally, so they must understand this sort of thing could happen. What about Facebook (sorry, Chris) or MySpace? What happens when Amazon is used to host data that is mishandled by someone? What then?

Imagine what fun it's going to be when we're all cloudified and the mash-up frenzy makes the cross-pollination of information today look orderly; who's responsible then?

What do you think? Should privacy officers be liable for events like this? Should CSOs/CISOs and Compliance Managers be liable when a breach occurs exposing protected information? Think about that answer very carefully.

Thanks to Mr. Stiennon, it seems that I have been labeled a threat to the People’s Party and access to this, my seditious and politically undermining little pile in cyberspace has been, gasp!, blocked by the eeeeeviill Chinese Firewall of Disinformation. Well, that sucks.

I have to say that Richard really did me a favor by posting this.

Firstly, it reminded me that despite my many travels, I’ve become quite an American-centric little drone without much of an appreciation for the hardships experienced by those in many other countries as it relates to censorship and net neutrality. We take a lot of things for granted over here, and in many cases Americans seem to wield the hammer of nationalism a little too heavily, even if inadvertently.

I was reminded of this by a high-ranking member of a British telecoms company recently when, despite all attempts to rectify my ill-timed transgressions, he suggested that my sense of humor needed a much better cultural filter applied to it should I not wish to piss people off with my "Americanism." Ouch. I find it odd typing this because I’m somewhat culturally conflicted: whilst I was born in the U.S. and love it dearly, I moved to New Zealand and grew up there for most of my early life.

It made me think, so I really do owe you both a renewed apology and a thanks, Ray.

Secondly, I would really like to be able to use something like Google to compare natively a search using any one of their engines to determine where, what and how searches and click-throughs are allowed or blocked in the countries they serve. I reckon that as we get closer to GooglePOPs around the world, this ought to be plausible.

At any rate, back to the post at hand. I quoteth Richard:

On my recent travels in China I had an opportunity to experience first hand China’s so called “Golden Wall”. In each hotel I would try to get to several sites. For some reason this security blog is censored throughout China. How does that make you feel Mr. Hoff? And a Google search on “Tibet” will have the usual results but you cannot click through to any of the links on the first page of results. I did not search on Falun Gong for fear of really setting off the alarms and reprisals. Next time I think I will set up GoToMyPC at home and use it as a poor man’s proxy.

To answer Richard’s question directly, I guess I’m flattered on two fronts; firstly that Richard bothered to try to get to my blog while surfing in China (bored much?) and secondly that some government other than my own considers me a threat to their sovereignty.

I could, of course, rant tirelessly about my opposition to widespread and targeted filtering of information and the impact on privacy, etc., but there are far more qualified people than I to do so. At a much more basal level, I think it sucks, because now nobody in China will be able to follow along as Richard and I smack each other. ;(

In protest, no more General Tsao’s chicken for me.

{Posted @ 2:30am after I just got back from Blackhat/Defcon with no luggage. Apologies for any perceived lack of sensitivity for the greater global political issue of censorship here, but I want my toothbrush back from United Airlines and it’s clouding my judgment}

I was just leaving the office for a client dinner last night when I noticed I couldn’t get to my TypePad blog, but I chalked it up to a "normal" Internet experience.

When I fired up Firefox this morning (too much wine last night to care) I was surprised to say the least.

I am just awestruck by the fact that yesterday’s PG&E power outage in San Francisco took down some of the most popular social networking and blogging sites on the planet. TypePad (and associated services), Craigslist, Technorati, Netflix, etc., all DOWN. (See the bottom of this post for a most interesting potential cause.)

I’m sure there were some very puzzled, distraught and disconnected people yesterday. No blogging, no secondlife, no on-line video rentals. Oh, the humanity!

I am, however, very happy for all of the people who were able to commiserate with one another as they apparently share the same gene that renders them ill-prepared for one of the most common causes of outages on the planet: loss of power.

Here’s what the TypePad status update said this morning:

Update: commenting is again available on TypePad blogs; thank you for your patience. We are continuing to monitor the service closely.

TypePad blogs experienced some downtime this afternoon due to a power outage in San Francisco, and we wanted to provide you with the basic information we have so far:

The outage began around 1:50 pm Pacific Daylight Time

TypePad blogs and the TypePad application were affected, as well as LiveJournal, Vox and other Six Apart-hosted services

No data has been lost from blogs. We have restored access to blogs as well as access to the TypePad application. There may be some remaining issues for readers leaving comments on blogs; we are aware of this and are working as quickly as possible to resolve the issue. (See update above.)

TypePad members with appropriate opt-in settings should have received an email from us this afternoon about the outage. We will send another email to members when the service has been fully restored.

We will also be posting more details about today’s outage to Everything TypePad.

We are truly sorry for the frustration and inconvenience that you’ve experienced, and will provide as much additional information as possible as soon as we have it. We also appreciate the commiseration from the teams at many of the other sites that were affected, such as Craigslist, Technorati, Yelp, hi5 and several others.

I don’t understand how the folks responsible for service delivery of these sites, given the availability and affordability of technology and on-demand hosting capability, don’t have BCP/DR sites or load-balanced, distributed data centers to absorb a hit like this. The management team of Six Apart has experience in companies that understand that the network and connectivity represent the lifeblood of their existence; what the hell happened here, in that there’s no contingency for power outages?

Surely I’m missing something here.

Craigslist and Technorati are services I don’t pay for, so one might suggest taking the service disruption with a grain of SLA salt (or not, because it still doesn’t excuse not preparing for issues like this with contingencies) but TypePad is something I *pay* for. Even my little hosting company that houses my personal email and website has a clue. I’m glad I’m not a Netflix customer, either. At least I can walk down to Blockbuster…

Yes, I’m being harsh, but there’s no excuse for this sort of thing in today’s Internet-based economy. It affects too many people and services, and it really does show the absolute fragility of our Internet-tethered society.

Common sense obviously didn’t make the feature list on the latest production roll. Somebody other than me ought to be pissed off about this. Maybe when Data Center 3.0 is ready to roll, we won’t have to worry about this any longer 😉

/Hoff

Interestingly, one of the other stories of affected sites relayed the woes of 365 Main, a colocation company, whose generators failed to start when the outage occurred. I met the CEO of 365 Main when he presented at the Interop data center summit on the topic of flywheel UPS systems, which are designed to absorb the gap between failure detection and generator start. This didn’t seem to work as planned, either.

You can read all about this interesting story here. This was problematic because the company had just issued a press release about a customer’s 2-year uninterrupted service the same day 😉

Valleywag reported that the cause of the failure @ 365 Main was a drunk employee who went berserk! This seemed a little odd when I read it, but check out how the reporter from Valleywag is now eating some very nasty crow … his source was completely bogus!

Jon Oltsik crafted an interesting post today regarding the bifurcation of opinion on where the “intelligence” ought to sit in a networked world: baked into the routers and switches or overlaid using general-purpose compute engines that ride Moore’s curve.

I think that I’ve made it pretty clear where I stand. I submit that you should keep the network dumb, fast, reliable and resilient and add intelligence (such as security) via flexible and extensible service layers that scale both in terms of speed but also choice.

You should get to define and pick what best of breed means to you and add/remove services at the speed of your business, not the speed of an ASIC spin or an acquisition of technology that is in line with neither the pace and evolution of classes of threats and vulnerabilities nor the speed of an agile business.

The focal point of his post, however, was to suggest that the real issue is the fact that all of this intelligence requires exposure to the data streams which means that each component that comprises it needs to crack the packet before processing. Jon suggests that you ought to crack the packet once and then do interesting things to the flows. He calls this COPM (crack once, process many) and suggests that it yields efficiencies — of what, he did not say, but I will assume he means latency and efficacy.

So, here’s my contentious point that I explain below:

Cracking the packet really doesn’t contribute much to the overall latency equation anymore thanks to high-speed hardware, but the processing sure as heck does! So whether you crack once or many times, it doesn’t really matter, what you do with the packet does.

Now, on to the explanation…

I think that it’s fair to say that many of the underlying mechanics of security are commoditizing so things like anti-virus, IDS, firewalling, etc. can be done without a lot of specialization – leveraging prior art is quick and easy and thus companies can broaden their product portfolios by just adding a feature to an existing product.

Companies can do this because of the agility that software provides, not hardware. Hardware can give you economies of scale as it relates to overall speed (for certain things) but generally not flexibility.

However, software has its own Moore’s curve of sorts, and I maintain that unfortunately its lifecycle, much like what we’re hearing @ Interop regarding CPUs, does actually have a shelf life and point of diminishing return for reasons that you’re probably not thinking about…more on this from Interop later.

Jon describes the stew of security componentry and what he expects to see @ Interop this week:

I expect network intelligence to be the dominant theme at this week’s Interop show in Las Vegas. It may be subtle but it’s definitely there. Security companies will talk about cracking packets to identify threats, encrypt bits, or block data leakage. The WAN optimization crowd will discuss manipulating protocols and caching files, Application layer guys crow about XML parsing, XSLT transformation, and business logic. It’s all about stuffing networking gear with fat microprocessors to perform one task or another.

That’s a lot of stuff tied to a lot of competing religious beliefs about how to do it all as Jon rightly demonstrates and ultimately highlights a nasty issue:

The problem now is that we are cracking packets all over the place. You can’t send an e-mail, IM, or ping a router without some type of intelligent manipulation along the way.

<nod> Whether it’s in the network, bolted on via an appliance or done on the hosts, this is and will always be true. Here’s the really interesting next step:

I predict that the next big wave in this evolution will be known as COPM for "Crack once, process many." In this model, IP packets are stopped and inspected and then all kinds of security, acceleration, and application logic actions occur. Seems like a more efficient model to me.

To do this, it basically means that this sort of solution requires proxy (transparent or terminating) functionality. Now, the challenge is that whilst “cracking the packets” is relatively easy and cheap even at 10G line rates thanks to hardware, the processing is really, really hard to do well across the spectrum of processing requirements if you care about things such as quality, efficacy, and latency, and it is “expensive” in all of those categories.

The intelligence of deciding what to process and how once you’ve cracked the packets is critical.

This is where embedding this stuff into the network is a lousy idea.

How can a single vendor possibly provide anything more than “good enough” security in a platform never designed to solve this sort of problem whilst simultaneously trying to balance delivery and security at line rate?

This will require a paradigm shift for the networking folks that will mean either starting from scratch and integrating high-speed networking with general-purpose compute blades, re-purposing a chassis (like, say, a Cat65K) and stuffing it with nothing but security cards grafted onto the switches, or stacking appliances (big or small, single form factor or blades) and grafting them onto the switches once again. And by the way, simply adding networking cards to a blade server isn’t an effective solution, either. "Regular" applications (and esp. SOA/Web 2.0 apps) aren’t particularly topology sensitive. Security "applications," on the other hand, are wholly dependent on and integrated with the topologies into which they are plumbed.

It’s the hamster wheel of pain.

Or, you can get one of these which offers all the competency, agility, performance, resilience and availability of a specialized networking component combined with an open, agile and flexible operating and virtualized compute architecture that scales with parity based on Intel chipsets and Moore’s law.

What this gives you is an ecosystem of loosely-coupled best-of-breed security services that can be intelligently combined in any order once the packet is cracked, then ruthlessly manipulated as the flow passes through them, governed by policy, and ultimately dependent upon making decisions on how and what to do to a packet/flow based upon content in context.

The consolidation of best-of-breed security functionality delivered in a converged architecture yields efficiencies that are spread across the domains of scale, performance, availability and security, but also across the traditional economic scopes of CapEx and OpEx.
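To make the "crack once, process many" idea concrete, here is an added example (my own illustration, not Crossbeam's or Jon Oltsik's code). It parses a raw IPv4/TCP packet exactly once into a flow record, then lets a policy table pick which services run, and in what order, based on the flow's context (here, the destination port). Every service works from the already-parsed record; none of them re-parses bytes. The header parser is deliberately minimal (IPv4/TCP only), the signatures, the allowed-port list and the policy table are constructed for the example, and the sample packets are built inline with zero checksums.

```python
"""Crack once, process many: parse a packet into a flow record one time, then
run an ordered, policy-selected chain of security services over that record."""
import re
import socket
import struct
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Verdict = Tuple[str, str]  # (service name, "pass" | "alert" | "block")


@dataclass
class Flow:
    """The single parsed representation every downstream service consumes."""
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes
    verdicts: List[Verdict] = field(default_factory=list)


def crack(packet: bytes) -> Flow:
    """Parse the IPv4 and TCP headers exactly once (IPv4/TCP only; IHL honoured)."""
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("only IPv4/TCP is handled in this example")
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", packet[ihl:ihl + 14])
    data_off = (off_flags >> 12) * 4
    payload = packet[ihl + data_off:total_len]
    return Flow(socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport, payload)


# Services: each consumes the already-cracked Flow and returns a verdict string.
ALLOWED_PORTS = {25, 80, 443}                        # hypothetical ACL data
IDS_SIGS = [b"../", b"cmd.exe", b"/etc/passwd"]      # constructed signatures
CARD_RE = re.compile(rb"\b(?:\d{4}[ -]?){3}\d{4}\b")  # toy DLP pattern


def svc_acl(f: Flow) -> str:
    return "pass" if f.dport in ALLOWED_PORTS else "block"


def svc_ids(f: Flow) -> str:
    return "block" if any(sig in f.payload for sig in IDS_SIGS) else "pass"


def svc_dlp(f: Flow) -> str:
    return "alert" if CARD_RE.search(f.payload) else "pass"


SERVICES: Dict[str, Callable[[Flow], str]] = {"acl": svc_acl, "ids": svc_ids, "dlp": svc_dlp}

# Policy chooses which services run, and in what order, from the flow's context.
POLICY: Dict[int, List[str]] = {80: ["acl", "ids", "dlp"], 25: ["acl", "dlp"]}
DEFAULT_CHAIN = ["acl"]


def process(packet: bytes) -> Flow:
    """Crack once, then walk the policy-selected chain; a 'block' short-circuits."""
    f = crack(packet)
    for name in POLICY.get(f.dport, DEFAULT_CHAIN):
        verdict = SERVICES[name](f)
        f.verdicts.append((name, verdict))
        if verdict == "block":
            break
    return f


def final_verdict(f: Flow) -> str:
    outcomes = {v for _, v in f.verdicts}
    return "block" if "block" in outcomes else ("alert" if "alert" in outcomes else "pass")


def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4/TCP packet for the demo (checksums left at zero)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, 5 << 12, 0xFFFF, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


if __name__ == "__main__":
    for pkt in (
        build_packet("10.0.0.5", "192.0.2.10", 40000, 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),
        build_packet("10.0.0.5", "192.0.2.10", 40001, 25, b"card 4111 1111 1111 1111 thanks"),
        build_packet("10.0.0.5", "192.0.2.10", 40002, 3389, b""),
    ):
        f = process(pkt)
        print(f.dport, f.verdicts, "->", final_verdict(f))
```

The point the code makes is the one argued above: `crack()` is a few `struct.unpack` calls, while everything expensive (pattern matching, policy evaluation) happens in the service chain, so what you bolt on after the crack, and the order policy runs it in, is what determines latency and efficacy. Swapping a service means editing `SERVICES` and `POLICY`, not re-plumbing the parser.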

My recent adventure involved climbing Mt. Meru and Mt. Kilimanjaro in Tanzania. It was awesome. I’m long overdue in blogging the event.

The reason that I and my 4 compadres decided to climb Kili was because of the "fact" that ultimately the glacial packs atop Kilimanjaro would shortly disappear. Recent forecasts suggested that within 10 years they would be completely gone.

So, imagine my surprise when we summited in -25 degrees (F) to come face to face with this 100 foot tall monster @ nearly 20,000 feet. It was truly an awesome spectacle.

I was expecting a small bit of snow and some compacted ice forms. I didn’t expect 80-100 foot glacial ice fields!

Pair that with a current BBC article that suggests that ultimately the glaciers will be around for at least 30-40 years and while I’m not discounting the global warming effect, I am happy to note that these magnificent walls of ice will be here for at least a while longer.

This is great news. I’m glad that it’s not as bad as was originally forecasted because it’s an awesome sight after 8 hours of the summit deathmarch slog; hopefully my kids will be able to join me if I do it again and we can see it together.

Firstly, my apologies to both Ron and Stephen for the grotesque visual…especially when you consider that this ridiculous analog is all the more absurd when you consider that I’m suggesting I’m the bologna in the middle.

Ew.

As I write this, I regret it immediately.

I’m referring to being included — along with the usual cast of characters; Rothman, Shimel, Williams, Stiennon, etc. — in ITSecurity.com’s Top 59 Influencers in IT Security listing. I’m #24, right in between Gula and Toulouse! This is how we roll, yo!

I’m sure Alan’s going to complain that Amrit beat him out for #1, but I find it hysterical that John Thompson and Tom Noonan are below me! Technically, I’m listed twice; once in the bloggers section and again under the Corporate Security Officers section.

The only way this list is in actual order of anything is the possibility that the ranking represents the number of complaints regarding content from my rabid blog readership of 4 (and you know who you are.) Nonetheless, thanks for voting 6 times each, ya’ll!

BOSTON MA, March 3 /PRNewswire/ - Rational Security BlogoDomination Corp. (RSBC) announced its intention today to continue the expansion of its consolidation strategy in the overly saturated Security Blog Market with the unsolicited hostile takeover bid and acquisition of Alan Shimel's "StillSecure After All These Years (SSAATY)" Blog.

Christofer Hoff, CEO and Dark Overlord of the SecurityBlogsolidation Dominion, today announced that upon release of SSAATY's recent earnings report showing a marked uptake in revenues with income hovering at over $18 per month, RSBC would offer an unheard of 20X revenue multiplier in a stock-for-stock exchange and an "I (heart) NAC" bumper sticker.

Alan Shimel, SSAATY's CEO/CTO/CMO/CIO/CFO/CSO, refused comment other than to crisply and vehemently reject Hoff's bid citing unacceptable terms; balking at only a 20X multiplier, he pointed to Ken Xie's $4B sale of NetScreen to Juniper and suggested that Hoff "...get real if he expects this bulls**t takeover attempt to warrant any sort of attention other than a trackback and lower Technorati rating."

Art Coviello, CEO of RSA, complemented his prognostications from his recent 2007 RSA Security Conference keynote, wherein he stated that there would not be any independent security companies in 3 years, by adding that Hoff's RSBC would "...subsume all security blogs within the same timeframe." Mike Rothman was quoted as "...not giving a crap because neither of them purchased a copy of the P-CSO."

Hoff's response was just as shrill, "If Shimel doesn't pony up like the little bitch that he is, I'll buy his lap dog Mitchell's blog instead."

Contact:

Christofer Hoff
CEO and Dark Overlord of the Security Blogsolidation Dominion
satanwithacheckbook@packetfilter.com

Alan Shimel
CEO/CTO/CMO/CIO/CFO/CSO
StillSecure After All These Years
finallygotanexit@stillsecureafteralltheseyears.com

I am astounded by this statement. I violently disagree with this assertion.

Virtualization may have not changed the underlying mechanisms of CSMA/CD or provided the capability to exceed the speed of light, but virtualization has absolutely and fundamentally affected the manner in which networks are designed, deployed, managed and used. You know, network architecture.

Whether we’re talking about VLANs, MPLS, SOA, Grid Computing or Storage, almost every example of data center operations and network design today is profoundly impacted by the V-word.

Furthermore, virtualization (of transport, storage, application, policy, data) has also fundamentally changed the manner in which computing is employed and resources consumed. What you deploy, where, and how are really, really important.

More importantly (and relevant here), virtualization has caused architects to revisit the way in which these assets, and the data that flows through them, are secured.

And to head off yet another "blah blah…big iron…large enterprise….blah blah" retort, I’m referring not just to the Crossbeam way (which is heavily virtualized) but to that of Cisco and Juniper also. All Next Generation Network Services are in a low-earth orbit of the mass that is virtualization.

"Virtualization of the routed core. Virtualization of the data and control planes. Virtualization of Transport. Extending the virtualized enterprise over the WAN. The virtualized access layer." You know what those are? Chapters out of a Cisco Press book on Network Virtualization which provides "…design guidance" for architects of virtualized Enterprises.

I suppose it’s only fair that I ask Mike to qualify his comment, because perhaps it’s another "out-of-context-ism" or I misunderstood (of course I did) but it made me itchy reading it.

Firstly, I really like debating elements with Ptacek. He’s a really, really smart guy. Somewhat misguided, but a really, really smart guy. I’m honored that he picks on me. Really.

He picked on Bejtlich the other day. Given this association, I believe I have solved the Poincaré conjecture which has something to do with math, intractability and doughnuts. Mmmmm. Doughnuts.

Here, he mentions in response to my post regarding my Chicago presentation, that Cisco will crush Crossbeam. Privately he gave me a date and time, but I told him that I wouldn’t repeat when because it might affect his Cisco stock value.

Secondly, I can only giggle about Thomas’ choice for his blog entry title ("Cisco can kill Crossbeam any time it wants…") relating how Cisco will assimilate us all…I remember that same Borg-like prediction about how Microsoft would crush the Linux movement and how no other OS would stand a chance.

I believe Thomas is still using a Mac today…

At any rate, I started with Crossbeam almost exactly a year ago. The funny thing about crossing over from a security practitioner to working for a security vendor is that all your credibility goes out the window instantly.

I get this, it’s part of the game, but I refuse to bow to the notion that the last 15 years of my life and the credibility it has earned is erased by this singular event, so I go on assuming that my opinions count as they always have – like the paper they’re written on.

Almost always, I end up arguing with people who have either only been a vendor or an analyst and, short of securing their home networks, have never actually been a CISO of a company whose assets have monetary value with the word “billions” preceding it. I have. I argue from that point and the beliefs that come from that perspective. Yes, I am biased. I was before I came to Crossbeam, too.

The one thing that makes it difficult to sort out addressing someone who is as long-winded as I am is figuring out which parts of the debate are religious, marketing, technical or dogma.

Thomas is obviously reacting to my post playing the role of Cisco’s VP of Marketing, despite his disclaimers to the opposite. I will answer disguised as a cabaret dancer from Ohio. I hope that’s not confusing. If nothing I say makes sense, I’ll just ask you to rent the movie “Showgirls” and you’ll forget all about this security nonsense.

So I’ve read his retort to my post/presentation, and I’m going to respond to the things I think are worth responding to, because a good chunk of his posting doesn’t really address my points; it defends Cisco’s misses. Yet I digress…

Ptacek starts out all right, doing a good job of summarizing the sentiment of both my post and my presentation:

Chris’ argument has three salients:

Cisco’s Self-Defending Network Architecture (the successor to SAFE) is just marketecture.

Cisco hasn’t put its money where its mouth is on integration of security into its mainline platforms (the Cat and routers).

Security belongs at a “service layer”, virtualized over the entire network, not as point-deployed boxes (IPS) or embedded into the infrastructure (IPS blade).

I really could just stop here because I’ve yet to find anyone (besides Thomas) who would actually disagree with any of those points, so why continue? 😉

But, he did, so I will…

1. Is SDNA “marketecture”? Of course it is. SDNA is code for “sole-source network security from Cisco”. Sniping at SDNA’s credibility is as silly as sniping at the Cisco SAFE architecture in 2001: absolutely nobody designs networks according to these “schemes”. SDNA is a “why we did it” story that is retrofit onto Cisco’s evolving product lines to make it seem like they have strong management and a real vision.

But Chris’ argument isn’t about SDNA. It’s about whether enterprises should sole-source from Cisco, with around $1b in security sales, or consider vendors like Crossbeam that post sales less than 8% of that.

That’s right, my argument is that you shouldn’t sole-source your security solutions from a single vendor who claims competency in 15+ categories of security without demonstrating it, ever, except with a checkbook.

Also, just to double-check, Thomas, in Cisco math, a $200,000 Cat6500 switch with two FWSM blades is still $200,000 of “security sales,” right? Uh-huh. How about those “negative margin” deals…

That’s a fine argument to make, but if you’re going to build it on Cisco’s inability to run a real playbook, you can’t cherry pick Cisco’s weakest messages. SDNA may be meaningless. NAC isn’t. Even if it doesn’t work yet, it’s actionable and it’s changed the way people think about securing their network, and when Cisco buys the company that can really deliver on it for large enterprises, NAC is going to cause Crossbeam huge headaches.

Cherry-pick their weakest message? SDNA is their message, Thomas! DVVM and Quad-play is dependent upon this underlying message that “security is the network.” I didn’t make this up, Cisco did.

You just contradicted yourself hugely. In the first paragraph you said that “…absolutely nobody designs networks according to these “schemes”” but somehow that’s affected the way in which folks secure their networks!? You’re right…they take a look at the Cisco method and realize it doesn’t work and look for other solutions.

Also, I just love the “…you just wait until Cisco buys something that actually works” sentiment!

By the way, Crossbeam doesn’t have to fear when Cisco gets NAC working (which is the most hysterical comment you’ve made), because we can simply get a best-of-breed partner’s NAC application running on our platforms…no cash, no development, no fuss. In fact, we are already in the process of doing that.

Furthermore, when you say NAC, you mean CNAC. But which CNAC are you referring to? The one that didn’t completely pan out (CSA) or the new-and-improved Clean Access? You know, the same Clean Access that requires ANOTHER appliance to be added to the network to function and is purdy much a Cisco-only solution…

2. If you’re an indie network security vendor with a pulse, the idea of Cisco embedding IPS and firewalls into every Cat switch and access router puts you in a cold sweat. Is Cisco full of shit about this plan? Reasonable people will disagree, but the answer will be “no”.

See, I don’t think they’re full of shit. I just think they’re not a security company and aren’t executing on their vision in a manner consistent with the customers they serve outside of the SMB. The Enterprise strategy is showing cracks and they are very distracted across an immense portfolio. They’re trying to re-group on the convergence front, but there’s pressure there, too. All the while, security plods on.

First, the existence proof: the ISR. Large enterprises buy them by the hundreds. It’s one of Cisco’s most successful products ever. And it’s a direct threat to the branch/satellite-office market that is the primary revenue multiplier for indie perimeter security vendors — Crossbeam’s bread and butter.

The ISR is fantastic…and if you’re a branch/satellite-office company I’d suggest it’s a very good product – but it still only provides limited security functionality, and that’s why Cisco sells ASAs with them.

Also, if you’re suggesting that the SMB/Branch perimeter is Crossbeam’s “bread and butter” you are completely and absolutely incorrect. 90% of our revenue comes from Large enterprise data center consolidation and service provider/MSSP/mobile operator customers. Your definition of the “perimeter” needs work as does your understanding of what we do…again.

Cisco does more than $10b a year in Cat switching alone; by revenue, their grip on that market is comparable to Microsoft’s lock on operating systems. All it takes for Cisco to launch completely integrated network security is a credible ASA blade for the Cat6k. How far out can that be? Enterprises already buy the Firewall Switch Module.

Actually, the ASA isn’t their answer to the aging FWSM, the ACE and VSA are…and it’s got a long way to go. By the way, who said that I’m suggesting we’re out to crush Cisco? Beating them where they do a lousy job is a very nice living by your own math above. How far out? You’ll have to ask them.

And finally there’s the obvious point to be made about NAC and Cisco Security Agent, the alien larvae Cisco is trying to implant into host security. NAC is a lot of bad things, but “un-integrated” is not one of them.

You’re right, but you forget that “un-integrated (?)” does not equal “functional.” You’re also a couple of months late on this argument already…please see above. I think you’re a little out-of-date on where Cisco is with CNAC…please see above for a very interesting look at the Gartner report.

Basically, every indie vendor has a talking point about how Cisco should just stick to the connectivity that they’re good at. This stuff all sounds good at first, but c’mon. Cisco doesn’t own connectivity because they make the best routers and switches. To claim that their routing (perimeter) and switching (internal) real estate doesn’t give them a dominant position in security is to claim that the perimeter and internal networks aren’t implicated in security. Delusional.

A dominant position or an advantage in hawking their wares because there’s some box that might be a platform to deploy it someday or today in pieces? I’d say the latter. Where is my bottle of Zoloft, anyway?

I agree, they haven’t done it yet, but I’ll make a statement that’s sure to get me yelled at: as soon as Cisco decides it’s ready, it can end companies like Crossbeam, Checkpoint, and SourceFire within 18 months. Isn’t not doing that, and running security as a totally separate business unit, one of the big mistakes they made in the 90s?

Oh, OK. They haven’t because instead of feeding the hungry, bestowing Linksys DSL routers to everyone in Kentucky or donating to stop the killing in Darfur, they’ve instead decided to give kindly by not destroying their competitors.

Jesus, I had no idea! Thanks for clearing that up.

Security is now under Jayshree’s organization which is routing/switching, and I don’t believe it has ever been a separate unit. It should be. That way if it doesn’t pan out they can just scrap-heap it and say that it’s a feature, not a market.

3. Does it make sense to deploy security uniformly across the whole network, defending secretary desktops the same way you defend iSCSI servers or server-agent management consoles? No. Security should be focused on assets.

Hey, that’s a great point. I think I made it! Please tell me how they do that?

But exactly what does this have to do with network architecture? Read Chris’ slides and it seems to mean “the way to architect your network is to hang Cisco boxes off of a couple Crossbeams in your core”.

Not quite, but your extreme-isms are starting to have me think you should write for Al-Jazeera. How about quoting what I actually talked about…you know, like build a fast, reliable, resilient and responsive network infrastructure and overlay security as a combination of security services which provides the absolute best-of-breed security in combination where you need it, when you need it and at a price tag where the risk justifies the cost.

But that’s what you meant, right? 😉

The points Thomas pins his venom on below are from a single slide in the preso which is basically a Letterman’s top-10 spoof. Some of them are purposely meant to incite, others are humorous, some are leverage points for the rest of the discussion that the audience and I had.

I’ll respond to some of them because many of Thomas’ objections are out of context and some are just too silly to respond to. If you really, really want a line-by-line, I’ll do it. Y’all just let me know 😉

2. When’s the last time a network guy could perform a byte-level forensic trace of a Botnet C&C channel or a security guy troubleshoot a nasty BGP route-reflector distribution problem?

I don’t know. You might try asking Dug Song at Arbor, Kirby Kuehl at Cisco, or any of the Team Cymru guys. When’s the last time a security guy bought a Cisco product? Hint: it happened 5 times while you read this sentence.

Ummmm…I was referring to the average security and network practitioner in a stove-piped Enterprise or service provider, not the rest of the crew from your Saturday afternoon flag-football squad 😉

These guys, like you, are not representative of the typical folks who have to actually use the stuff we’re talking about.

You know, customers.

3. Managing threats and vulnerabilities is not the same as managing risk; networks don’t understand the value of the data traversing them…how can they protect it accordingly?

Cisco is not an ethernet cable. “The network” is whatever your vendor says it is. In Crossbeam’s case, “the network” is Cisco and “security” is everything else, including Checkpoint and SourceFire, both of whom sell products that Cisco has pin-compatible substitutes for.

Do any of these companies “understand the data”? No, I agree, they don’t. Is “understanding the data” important? Then let’s suspend the conversation until Cisco buys Vontu and Crossbeam partners with Vericept.

Pin-compatible? Label-compatible, perhaps. I think this is exactly the divergence that’s at the crux of the debate here, as the “quality” of the individual security solutions on their own (appliance or embedded) versus how they work as part of an architecture is the issue. That’s my point, but it’s not a bullet-in-a-list sort of answer.

Also, I don’t care about Cisco buying Vontu, but what makes you think that we’re not already talking (and haven’t been for some time) to an extrusion prevention/IP Leakage vendor like Vericept?

Crossbeam doesn’t suffer from having to wait to acquire technology and then spend 18 months butchering it to get it to work within the existing platforms (or build yet another point-solution appliance). We do our research in advance and when the time is right – and the customers desire it – we bring a partner’s application(s) onto the platform.

4. Just because two things are branded with the same name doesn’t mean they can communicate or interoperate well; just ask my wife

Nope, and we’re not going to. Neither will Cisco because they have no reason to if the entire network — and all the security components within — is theirs. In fact, it’s within their interests to not have this happen. If it did, it would just make your arguments weaker.

I’m just dinging the message and the messenger. Our “app-level integration” is approached from a different perspective that starts first with consolidation of functions, then virtualization of transport, application and policy, and then with the capability to flexibly pass flows through combinations of these virtual security stacks managed by the discrete parties charged with their care. Best-of-breed functions that can be added to an open platform without the need for a bunch of point solutions.

In large networks, the people responsible for FW are different than those responsible for IDS, are different than those responsible for XML, etc. They’re still very, very vertically-stovepiped.

We don’t need to boil the ocean and we don’t. We still have work to do on providing the overall global view of how traffic moves and is affected through these stacks, but we’re not the one blowing smoke about how this supposedly all works today.

That would be your job 😉

6. The dirty little secret of embedding security in the “network” is that it’s the same as doing it with point-appliances…a single vendor’s set of appliances

Yes, it’s true: if Cisco succeeds in embedding security into its mainline products, you are going to be using Cisco security products. Diversity and consumer choice are valid arguments against Cisco.

But there’s one way in which using embedded security demonstrably isn’t the same as using point products: you don’t have to deploy point products to do it.

I call bullshit. If you look at the slides in my preso, I can count over 13 different “point solutions” that aren’t routers and switches which are today relied upon to deploy this supposed “embedded” security. The only difference between Cisco’s approach to embedded security and the appliance model is that the “appliances” are all Cisco’s.

Just because they have a Cisco label on it doesn’t make it “embedded.”

7. Modeling the security of the self-defending network after the human immune system and suggesting that it’s the ultimate analog is a crappy idea; people die

Yes. What I hate about Cisco’s solutions is that you have to let a few machines on your network get infected for them to generate antigens; also, when Cisco’s security features coagulate around injuries, YouTube gets really slow.

Puff, puff, pass. Puff, puff, pass. You’re f-in up the rotation…man!

Please point me to a single customer in the world who has a self-defending network that functions like this. Oh, that’s right, it’s the marketecture that you referred to in your first point and forgot that it doesn’t, actually, exist. If YouTube being slow was the biggest problem businesses had today, you wouldn’t be employed either, T.

8. Security solely by acquisition does not make you a security company… just like acquiring lots of security “stuff” does not make you secure

You sure this is a good argument to make for a company that delivers 99% of its security value prop through partnerships with other companies?

Let’s ask the mean question: using product space names and market position (i.e., “the #5 IPS vendor”), name some of the companies Crossbeam has turned down as partners? Cisco’s kind of picky about what it buys, you know.

It’s absolutely the right argument to make. I guarantee you that the model of being customer-driven to take the best-in-breed security solutions from true security vendors and integrate it into a delivery architecture that is designed to do this rather than being force-fed into a retro-fit, works. Today.

Oh, I’d be more than glad to email you the list of 15-20 vendors over the last 6 months that we’ve said “no” to.

You’re about to hit my threshold trip-limit on how much of our business model you claim inside knowledge to…especially since you’re batting zero at this point.

9. Security in breadth is not the same thing as security in depth; “good enough” security is not good enough in the data center

What aspect of Cisco’s IPS is not “good enough” for the data center?

…the same one that loses to ISS, Sourcefire, and Enterasys every day. Want to ask the same about DDoS? I believe the answer there would be your own beloved Arbor.

People usually deploy Cisco’s solution in conjunction with other products of the same function. I think I’ve said enough.

Did you run your original post through the Babelfish English → Cisco parser before you copy/pasted it here, or what?

10. Securing everything, everywhere is not only unnecessary, it’s unachievable

It is if Cisco sells it at 10 points below cost in order to turn the entire network security market into a line-item feature for the Catalyst 6000.

So you admit that this is not about the efficacy of a solution but rather how much shit you have to give away for free to be called a market leader?

Actually, with the example above, Cisco now suggests you buy a completely separate 6509 into which you put all the security functions and turn it into a “security services switch” that is plugged into the “real” switching/routing fabric.

Sound familiar? It does to me.

I know it doesn’t sound that way, but I’m neither a fan of Cisco nor a skeptic about Chris. But his arguments don’t take Cisco seriously, and if we’re going to armchair quarterback the security industry, why be nice about that?

You’re right, it doesn’t. I still love you, though.

By the way, Lindstrom and I both looked at each other and laughed when we had lunch together at the show realizing that should you ever figure out we were in Chi-town and didn’t call you that you’d be grumpy. (I had no idea you lived in Chicago so it was all Pete’s fault.)